Abstract — In this report proofs are presented for a method
for abstracting continuous dynamical systems by timed au- 
tomata. The method is based on partitioning the state space 
of dynamical systems with invariant sets, which form cells 
representing locations of the timed automata. 

To enable verification of the dynamical system based on
the abstraction, conditions for obtaining sound, complete, and
refinable abstractions are set up.

It is proposed to partition the state space utilizing sub-level
sets of Lyapunov functions, since they are positive invariant sets.
The existence of sound abstractions for Morse-Smale systems
and of complete and refinable abstractions for linear systems is
proved.

I. Introduction 

Verifying properties such as safety is important for any 
system. Such verification is based on reachability calcula- 
tions or approximations. Since the exact reachable sets of 
continuous and hybrid systems in general are incomputable 
[1] a lot of attention has been paid to their approximations. 
Yet reachability is decidable for discrete systems such as au- 
tomata and timed automata; consequently, there exists a rich 
set of tools aimed at verifying properties of such systems. 
Therefore, abstracting dynamical systems by discrete systems 
would enable verification of dynamical systems using these 
tools. 

There are basically two methods for verifying continuous 
and hybrid systems. The first is to over-approximate the 
reachable states by simple convex sets as in [2]. The second 
method is based on abstracting the original system into a de- 
scription with reduced complexity, while preserving certain 
properties of the original systems. This is accomplished for 
hybrid systems in [3] and for continuous systems in [4]. 

In this work, continuous systems are abstracted by timed 
automata. This concept is primarily motivated by [4] where 
slices are introduced to improve abstractions of continuous 
systems. A slice is a counterpart of a single direction in 
continuous systems. 

This technical report is devoted to proving the propositions presented in the paper "Abstraction of Continuous Dynamical Systems Utilizing Lyapunov Functions", written by Christoffer Sloth and Rafael Wisniewski for the 49th IEEE Conference on Decision and Control (CDC) [5]. Therefore, that paper can be consulted for further insight into the abstraction method. In that paper the idea of considering both cells and slices for abstractions was adopted to provide a solution to the following problem.

Problem 1: Given an autonomous dynamical system, find a partition of its state space which allows an arbitrarily close over-approximation of the reachable set by a timed automaton.

The abstraction to be addressed preserves safety and has an upper bound on the size of the over-approximation of the reachable set. Furthermore, for a class of systems it is possible to reduce this upper bound to an arbitrarily small value by refining the partition. Hence, we can obtain an abstraction of the reachable set with arbitrary precision.

II. Preliminaries

The purpose of this section is to provide some defini- 
tions related to autonomous dynamical systems and timed 
automata. 

An autonomous dynamical system $\Gamma = (X, f)$ is a system with state space $X \subseteq \mathbb{R}^n$ and dynamics described by the ordinary differential equation $f : X \to \mathbb{R}^n$,

$$\dot{x} = f(x). \qquad (1)$$

The function $f$ is assumed to be locally Lipschitz. Additionally, we assume linear growth of $f$; then according to Theorem 1.1 in [6] there exists a solution of (1) on $(-\infty, \infty)$.

The solution of (1) from an initial state $x \in X$ at time $t \geq 0$ is described by the flow function $\phi_\Gamma : [0, \epsilon] \times X \to X$, $\epsilon > 0$, satisfying

$$\frac{d\phi_\Gamma(t, x)}{dt} = f(\phi_\Gamma(t, x)) \qquad (2)$$

for all $t \geq 0$.

Lyapunov functions are utilized in stability theory and are defined in the following [7].

Definition 1 (Lyapunov Function): Assume that a mapping $f : \mathbb{R}^n \to \mathbb{R}^n$ is continuous on $G \subseteq \mathbb{R}^n$ and that $G$ is open and connected. Then a real non-degenerate function $\psi : \mathbb{R}^n \to \mathbb{R} \cup \{-\infty, \infty\}$ differentiable on $G$ is said to be a Lyapunov function for the differential equation shown in (1) if

$$p \text{ is a critical point of } f \iff p \text{ is a critical point of } \psi, \qquad (3)$$

$$\dot{\psi}(x) = \sum_{j=1}^{n} \frac{\partial \psi}{\partial x_j}(x)\, f_j(x) \begin{cases} = 0 & \text{if } x = p, \\ < 0 & \text{if } x \in G \setminus \{p\}, \end{cases} \qquad (4)$$

and there exist $\alpha > 0$ and an open neighborhood of each critical point $p$ on which

$$\|\nabla \psi(x)\| \geq \alpha \|x - p\|. \qquad (5)$$

Note that we do not require positive definiteness of $\psi$.

Definition 2 (Reachability for Dynamical System): The reachable set of a dynamical system $\Gamma$ from a set of initial states $X_0 \subseteq X$ on the time interval $[t_1, t_2]$ is defined as

$$\mathrm{Reach}_{[t_1, t_2]}(\Gamma, X_0) = \{x \in X \mid \exists t \in [t_1, t_2],\ \exists x_0 \in X_0 \text{ such that } x = \phi_\Gamma(t, x_0)\}. \qquad (6)$$
The dynamical system will be abstracted by a timed automaton. Therefore, a definition of timed automaton is provided in the following [8]. In the definition, a set of clock constraints $\Psi(C)$ for the set $C$ of clocks is utilized. $\Psi(C)$ contains all invariants and guards of the timed automaton; consequently, it is described by the following grammar [9]:

$$\psi ::= c_1 \bowtie k \mid c_1 - c_2 \bowtie k \mid \psi_1 \wedge \psi_2, \qquad (7)$$

where $c_1, c_2 \in C$, $k \in \mathbb{Z}$, and $\bowtie \in \{<, \leq, =, \geq, >\}$.

Note that the constant $k$ in a clock constraint should be an integer, but in this paper no effort is made to convert the clock constraints into integers.

Definition 3 (Timed Automaton): A timed automaton $A$ is a tuple $(L, L_0, C, \Sigma, I, \Delta)$, where

• $L$ is a finite set of locations, and $L_0 \subseteq L$ is the set of initial locations.

• $C$ is a finite set of clocks, all with values in $\mathbb{R}_{\geq 0}$.

• $\Sigma$ is the input alphabet.

• $I : L \to \Psi(C)$ assigns invariants to locations, where $\Psi(C)$ is the set of all clock constraints, see (7).

• $\Delta \subseteq L \times \Psi(C) \times \Sigma \times 2^C \times L$ is a finite set of transition relations. The transition relations provide edges between locations as tuples $(l, G_{l \to l'}, a, R_{l \to l'}, l')$, where $l$ is the source location, $l'$ is the destination location, $G_{l \to l'} \in \Psi(C)$ is the guard set, $a$ is a symbol in the alphabet $\Sigma$, and $R_{l \to l'} \in 2^C$ gives the set of clocks to be reset.

We use the mapping $v : C \to \mathbb{R}_{\geq 0}$ for a clock valuation on a set of clocks $C$. Additionally, the initial valuation is denoted $v_0$, where $v_0(c) = 0$ for all $c \in C$.

Analogous to the solution of (1) shown in (2), a run of a timed automaton is defined in the following.

Definition 4 (Run of Timed Automaton): A run of a timed automaton $A$ is a possibly infinite sequence of alternations between time steps and discrete steps of the following form:

$$(v_0, l_0) \xrightarrow{t_1} (v_0 + t_1, l_0) \xrightarrow{a_1} (v_1, l_1) \xrightarrow{t_2} \cdots \qquad (8)$$

The multifunction describing a run of a timed automaton is $\phi_A : \mathbb{R}_{\geq 0} \times L_0 \to 2^L$. Here $l \in \phi_A(t, l_0)$ if and only if the timed automaton $A$ initialized in $l_0$ can be in location $l$ at time $t = \sum_i t_i$.

From the run of a timed automaton, the reachable set is defined below.

Definition 5 (Reachability for Timed Automaton): The reachable set of a timed automaton $A$ with initial locations $L_0$ on the time interval $[t_1, t_2]$ is defined as

$$\mathrm{Reach}_{[t_1, t_2]}(A, L_0) = \{l \in L \mid \exists t \in [t_1, t_2],\ \exists l_0 \in L_0 \text{ such that } l \in \phi_A(t, l_0)\}. \qquad (9)$$

III. Generation of Finite Partition 

A finite partition of the state space of the considered 
system is generated using slices, which are set-differences 
between positive invariant sets. 

Proposition 1: If $S_1 \pitchfork S_2 \neq \emptyset$ then

$$\mathrm{int}(S_1 \cap S_2) \neq \emptyset. \qquad (10)$$

Proof: Let $p \in \mathrm{bd}(S_1) \cap \mathrm{bd}(S_2)$. By Theorem 7.7 in [10] there exists a local coordinate system $(T, U)$ such that

$$T(S_1 \cap U) = H_1^+ \subseteq \mathbb{R}^n, \qquad (11a)$$

$$T(S_2 \cap U) = H_2^+ \subseteq \mathbb{R}^n, \qquad (11b)$$

where $H_1^+$ and $H_2^+$ are the closed half-spaces bounded by supporting hyperplanes of $S_1$ and $S_2$ at $p$; by transversality these hyperplanes are distinct. Thus $\dim(H_1^+ \cap H_2^+) = n$. ■

Note that the intersection of slices may form multiple disjoint sets. Therefore, the intersection of $k$ slices is denoted an extended cell $e_{ex,g}$. Each of the disjoint sets of an extended cell $e_{ex,g}$ is called a cell $e_{(g,h)}$.

IV. Generation of Timed Automaton from Finite 
Partition 

A timed automaton is generated by associating each cell 
of a partition with a location and by inserting guards and 
invariants calculated based on the dynamics. The method is 
presented in [5] and is very similar to the method presented 
in [4]. 

Proposition 2: $A(S)$ is a deterministic timed automaton if and only if for each cell $e_{(g,h)}$ and for all $i = 1, \ldots, k$ the set

$$e_{(g,h)} \cap \psi_i^{-1}(a_{(i, g_i - 1)}) \qquad (12)$$

is connected.

Proof: If $e_{(g,h)} \cap \psi_i^{-1}(a_{(i, g_i - 1)})$ is not connected for some $i$, then $\sigma_i$ is the label of multiple outgoing transitions from the location $e_{(g,h)}$, i.e. there exist multiple transitions in $\Delta$ where $e_{(g,h)}$ is the source location and $\sigma_i$ is the label. Therefore, the timed automaton $A(S)$ is nondeterministic. ■

Proposition 3: Let $A_{ex}(S)$ be a timed automaton with locations associated to extended cells, and let the slices of $S$ be generated such that for each pair $S_{(i, g_i)}$ and $S_{(j, g_j)}$, with $i, j \in \{1, \ldots, k\}$, $g_i \in \{1, \ldots, |S_i|\}$, $g_j \in \{1, \ldots, |S_j|\}$, we have

$$S_{(i, g_i)} \pitchfork S_{(j, g_j)}. \qquad (13)$$

Then $A_{ex}(S)$ is isomorphic to the parallel composition of $k$ timed automata, each generated by one slice-family $S_i$.

Proof: Consider the timed automaton $A_{\|}(S) = A_1(S_1) \| \ldots \| A_k(S_k)$, where $A_i(S_i) = (L_i, L_{0,i}, C_i, \Sigma_i, I_i, \Delta_i)$ and $L_i = \{l_{(i,1)}, \ldots, l_{(i,|S_i|)}\}$, abstracting the slices $S_{(i,1)}, \ldots, S_{(i,|S_i|)}$. Then the timed automaton $A_{\|}(S)$ is given by

• Locations: $L = L_1 \times \cdots \times L_k$, which according to Definition 10 in [5] represents extended cells if the transversal intersection of all slices is nonempty, i.e. (13) is satisfied.

• Clocks: $C = \{c_1, \ldots, c_k\}$, where $c_i$ monitors the time spent in a slice of $S_i$.

• Invariants: The invariant for location $l_{ex,g} = (l_{(1,g_1)}, \ldots, l_{(k,g_k)})$ is identical to (18) in [5] and is

$$I(l_{ex,g}) = \bigwedge_{i=1}^{k} I_i(l_{(i,g_i)}). \qquad (14)$$

• Input alphabet: $\Sigma = \{\sigma_1, \ldots, \sigma_k\}$.

• Transition relations: $\Sigma_i$ is disjoint from $\Sigma_j$ for all $i \neq j$; hence, item 1) in Definition 15 in [5] never happens.

This implies that $A_{\|}(S) = A_1(S_1) \| \ldots \| A_k(S_k)$ and $A_{ex}(S)$ are isomorphic. ■
Proposition 5: Let $S = \{S_1, \ldots, S_k\}$ be a collection of slice-families, and let $\psi_i$ be a partitioning function for $S_i$. The timed automata $A_{ex}(S)$ and $A(S)$ are bisimilar if for each cell $e_{(g,h)} \in K(S)$ and each $i \in \{1, \ldots, k\}$

$$e_{(g,h)} \cap \psi_i^{-1}(a_{(i, g_i - 1)}) \neq \emptyset \quad \forall h, \text{ or} \qquad (15a)$$

$$e_{(g,h)} \cap \psi_i^{-1}(a_{(i, g_i - 1)}) = \emptyset \quad \forall h. \qquad (15b)$$

If (15) holds, then all cells in each extended cell have the same symbols on their outgoing transitions.

Proof: Let $e_{(g,h)}$ with $h = 1, \ldots, m$ be the cells whose union is the extended cell $e_{ex,g}$. Then

$$I(e_{(g,h)}) = I(e_{(g,k)}) \quad \forall h, k \in \{1, \ldots, m\}, \qquad (16)$$

as the invariants are calculated based on slices, see (18) in [5].

If the partition satisfies (15), then the same outgoing transitions exist for all cells within the same extended cell. Furthermore,

$$G_{(g,h) \to (g',h')} = G_{(g,k) \to (g',k')} \quad \forall h, k \in \{1, \ldots, m\}, \qquad (17)$$

since the guards are also calculated based on slices, see (19b) in [5]. This implies that all possible behaviors from each cell in an extended cell are the same; hence, $A(S)$ is bisimilar to the timed automaton $A_{ex}(S)$. ■

V. Conditions for the Partitioning 

A sound and a complete abstraction of a dynamical system are illustrated in Fig. 1. Definitions of sound and complete abstractions are available in [5].

Fig. 1. Illustration of the reachable set of a dynamical system (gray) from initial set $X_0$ and a sound approximation of this (cells within bold black lines) on the left and a complete abstraction on the right.



Proposition 6: A timed automaton $A_{ex} = A_1 \| \ldots \| A_k$, with locations abstracting extended cells, is a sound (complete) abstraction of the system $\Gamma$ if and only if $A_1, \ldots, A_k$ are sound (complete) abstractions of $\Gamma$.

Proof: If the locations of $A_{ex}$ are extended cells, then soundness of $A_{ex}$ can be reformulated to the following. A timed automaton $A_{ex}$ with $L_0 = \{e_{ex,g} \mid g \in G_0 \subseteq G\}$ is said to be a sound abstraction of $\Gamma$ with $X_0 = \bigcup_{g \in G_0} e_{ex,g}$ on $[t_1, t_2]$ if for all $t \in [t_1, t_2]$ and for all $g \in G$

$$\bigcap_{i=1}^{k} S_{(i,g_i)} \cap \mathrm{Reach}_{[t,t]}(\Gamma, X_0) \neq \emptyset \text{ implies} \qquad (18a)$$

$$\exists l_0 \in L_0 \text{ such that } \bigcap_{i=1}^{k} S_{(i,g_i)} \in \alpha_K(\phi_{A_{ex}}(t, l_0)), \qquad (18b)$$

where $\alpha_K$ maps locations to the cells of the partition $K$ they abstract. This is equivalent to: for all $i \in \{1, \ldots, k\}$, all $g \in G$, and all $t \in [t_1, t_2]$

$$S_{(i,g_i)} \cap \mathrm{Reach}_{[t,t]}(\Gamma, X_0) \neq \emptyset \text{ implies} \qquad (19a)$$

$$\exists l_{0,i} \in L_{0,i} \text{ such that } S_{(i,g_i)} \in \alpha_K(\phi_{A_i}(t, l_{0,i})). \qquad (19b)$$

From (19) it is seen that $A_{ex} = A_1 \| \ldots \| A_k$ is sound if and only if $A_i$ is sound for $i = 1, \ldots, k$. Similar arguments can be used to prove the completeness part of Proposition 6. ■

Proposition 7 (Sufficient Condition for Soundness): A timed automaton $A(S)$ is a sound abstraction of the system $\Gamma$ if its invariants and guards are formed using

$$\underline{t}_{S_{(i,g_i)}} \leq \frac{|a_{(i,g_i)} - a_{(i,g_i-1)}|}{\sup\{|\dot\psi_i(x)| \in \mathbb{R}_{>0} \mid x \in S_{(i,g_i)}\}}, \qquad (20a)$$

$$\overline{t}_{S_{(i,g_i)}} \geq \frac{|a_{(i,g_i)} - a_{(i,g_i-1)}|}{\inf\{|\dot\psi_i(x)| \in \mathbb{R}_{>0} \mid x \in S_{(i,g_i)}\}}, \qquad (20b)$$

where $\dot\psi_i(x)$ is defined as shown in (4), and $\underline{t}_{S_{(i,g_i)}}$ and $\overline{t}_{S_{(i,g_i)}}$ are the lower and upper bounds on the time a trajectory spends in the slice $S_{(i,g_i)}$ that the guards and invariants of $A(S)$ encode.

Proof: Let $A(S)$ be a timed automaton with $L_0 = \{e_i \mid i \in I\}$ that abstracts $\Gamma$ with initial set $X_0 = \bigcup_{i \in I} e_i$. If the guards and invariants of $A(S)$ satisfy (20), then

$$\mathrm{Reach}_{[t_1, t_2]}(\Gamma, X_0) \subseteq \alpha_K(\mathrm{Reach}_{[t_1, t_2]}(A, L_0)), \qquad (21)$$

since for all $x_0 \in \psi_i^{-1}(a_{(i,g_i)})$ there exists $t \in [\underline{t}_{S_{(i,g_i)}}, \overline{t}_{S_{(i,g_i)}}]$ such that

$$\phi_\Gamma(t, x_0) \in \psi_i^{-1}(a_{(i,g_i-1)}). \qquad (22)$$

■


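The bounds (20a)/(20b) and the check (21)/(22) are easiest to see on a concrete slice family. The following Python program is an added example, not code from the report or its authors. It takes a constructed stable linear system $\dot{x} = Ax$ with $A = \mathrm{diag}(-1, -3)$, the quadratic Lyapunov function $\psi(x) = x^T P x$ with $P = I$ (so $\dot\psi(x) = x^T(A^T P + PA)x$ as in (4)), slices $S_g = \psi^{-1}([a_{g-1}, a_g])$ for constructed levels $a_g$, and computes the transit-time bounds of (20) from $\sup$ and $\inf$ of $|\dot\psi|$ over each slice; for a quadratic $\psi$ these are $\lambda_{\max}(P^{-1}Q)\,a_g$ and $\lambda_{\min}(P^{-1}Q)\,a_{g-1}$ with $Q = -(A^T P + PA)$, a Rayleigh-quotient bound used here and not stated in the report. It then builds the chain timed automaton whose location $g$ has guard $c \geq \underline{t}_{S_g}$ and invariant $c \leq \overline{t}_{S_g}$, evaluates $\mathrm{Reach}_{[t,t]}(A, \{N\})$ of Definition 5 in closed form, and checks (21) against exact trajectories. Two details that the proof of Proposition 7 leaves implicit are handled explicitly: the innermost slice contains the equilibrium, where $\inf|\dot\psi| = 0$ and no finite invariant exists, and initial states may lie anywhere in the initial slice rather than on its outer level set, so this example sets the guard of the initial location to $c \geq 0$ (an assumption of the example).

```python
"""Added example (not from the report): sound timed-automaton abstraction of one slice family
for a constructed system x' = A x, A = diag(-1, -3), with psi(x) = x^T P x, P = I, so that
psi_dot(x) = x^T (A^T P + P A) x as in (4).  Slice g is S_g = psi^{-1}([a_{g-1}, a_g])."""
import math

A = ((-1.0, 0.0), (0.0, -3.0))            # constructed stable linear system (diagonal)
P = ((1.0, 0.0), (0.0, 1.0))              # psi(x) = x^T P x
LEVELS = [0.0, 0.25, 0.5, 1.0, 2.0, 4.0]  # a_0 < ... < a_N; slice g = psi^{-1}([a_{g-1}, a_g])
N = len(LEVELS) - 1                       # slices 1..N are the locations; N is the initial one

def quad(M, x):                            # x^T M x for a 2x2 matrix
    return sum(x[i] * M[i][j] * x[j] for i in range(2) for j in range(2))

def lyap_matrix():                         # A^T P + P A
    return tuple(tuple(sum(A[k][i] * P[k][j] + P[i][k] * A[k][j] for k in range(2))
                       for j in range(2)) for i in range(2))

def psi(x):
    return quad(P, x)

def psi_dot(x):                            # derivative of psi along the flow, (4)
    return quad(lyap_matrix(), x)

def eig2(M):                               # eigenvalues of a 2x2 matrix with real spectrum
    tr, det = M[0][0] + M[1][1], M[0][0] * M[1][1] - M[0][1] * M[1][0]
    d = math.sqrt(max(tr * tr - 4.0 * det, 0.0))
    return (tr - d) / 2.0, (tr + d) / 2.0

def rate_range():
    """lam_min, lam_max with lam_min*psi(x) <= |psi_dot(x)| <= lam_max*psi(x): the eigenvalues
    of P^{-1} Q, Q = -(A^T P + P A) (a Rayleigh-quotient bound assumed here, not in the report)."""
    Q = tuple(tuple(-v for v in row) for row in lyap_matrix())
    det_p = P[0][0] * P[1][1] - P[0][1] * P[1][0]
    p_inv = ((P[1][1] / det_p, -P[0][1] / det_p), (-P[1][0] / det_p, P[0][0] / det_p))
    return eig2(tuple(tuple(sum(p_inv[i][k] * Q[k][j] for k in range(2))
                            for j in range(2)) for i in range(2)))

LAM_MIN, LAM_MAX = rate_range()

def transit_bounds(g, initial=False):
    """(20a)/(20b) for slice g, where |psi_dot| lies in [LAM_MIN*a_{g-1}, LAM_MAX*a_g].
    Innermost slice: contains the equilibrium, inf|psi_dot| = 0, so the invariant is dropped.
    Initial location: states need not start on the outer level set, so the guard is relaxed
    to c >= 0 (an assumption of this example)."""
    lo, hi = LEVELS[g - 1], LEVELS[g]
    t_lo = 0.0 if initial else (hi - lo) / (LAM_MAX * hi)
    t_hi = math.inf if lo == 0.0 else (hi - lo) / (LAM_MIN * lo)
    return t_lo, t_hi

def reach_locations(t):
    """Reach_[t,t](A, {N}) (Definition 5) for the chain N -> ... -> 1: the edge out of g has
    guard c >= t_lo(g), the invariant of g is c <= t_hi(g), c is reset on entry.  Hence g is
    reachable at t iff sum_{j>g} t_lo(j) <= t <= sum_{j>=g} t_hi(j)."""
    b = {g: transit_bounds(g, initial=(g == N)) for g in range(1, N + 1)}
    return {g for g in range(1, N + 1)
            if sum(b[j][0] for j in range(g + 1, N + 1)) <= t <= sum(b[j][1] for j in range(g, N + 1))}

def flow(t, x0):                           # phi(t, x0): closed form for diagonal A
    return (x0[0] * math.exp(A[0][0] * t), x0[1] * math.exp(A[1][1] * t))

def slice_index(x):                        # g with x in S_g (None if psi(x) > a_N)
    v = psi(x)
    return next((g for g in range(1, N + 1) if v <= LEVELS[g] + 1e-12), None)

def on_level(direction, a):                # scale a direction so that psi equals a
    s = math.sqrt(a / psi(direction))
    return (direction[0] * s, direction[1] * s)

def transit_time(x0, g, tol=1e-10):
    """Time from x0 on level a_g to level a_{g-1}; bisection is valid since psi decreases
    strictly along the flow (psi_dot < 0 away from the origin)."""
    target, lo, hi = LEVELS[g - 1], 0.0, 1.0
    while psi(flow(hi, x0)) > target:
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if psi(flow(mid, x0)) > target else (lo, mid)
    return hi

def transit_times_within_bounds(n_dirs=16):
    """(22): every trajectory entering S_g through a_g reaches a_{g-1} within [t_lo, t_hi]."""
    for g in range(2, N + 1):
        t_lo, t_hi = transit_bounds(g)
        for k in range(n_dirs):
            th = 2.0 * math.pi * k / n_dirs
            if not t_lo <= transit_time(on_level((math.cos(th), math.sin(th)), LEVELS[g]), g) <= t_hi:
                return False
    return True

def abstraction_is_sound(n_dirs=12, n_times=40, t_max=3.0):
    """(21): the slice occupied at time t is always a reachable location, also for initial
    states in the interior of the initial slice."""
    for k in range(n_dirs):
        d = (math.cos(2.0 * math.pi * k / n_dirs), math.sin(2.0 * math.pi * k / n_dirs))
        for frac in (0.55, 0.999):
            x0 = on_level(d, LEVELS[N - 1] + frac * (LEVELS[N] - LEVELS[N - 1]))
            for m in range(n_times + 1):
                t = t_max * m / n_times
                if slice_index(flow(t, x0)) not in reach_locations(t):
                    return False
    return True
```

With the levels doubling from slice to slice, `transit_bounds(g)` returns $[1/12, 1/2]$ for every slice except the innermost, while the measured transit times lie between $\ln 2/6$ and $\ln 2/2$ depending on the direction of the initial state; `transit_times_within_bounds()` and `abstraction_is_sound()` both return `True`. The price of soundness is visible in `reach_locations(0.3)`, which is the whole chain $\{1, \ldots, 5\}$ although no single trajectory can occupy more than one slice at a time; this is the over-approximation that a complete abstraction (Proposition 8) removes. If the guard of the initial location were left at $1/12$ instead of $0$, a trajectory starting just inside the outer slice would enter location $4$ before the automaton allows it, and the check would fail.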

Proposition 8 (Sufficient Condition for Completeness): Let $S = \{S_i \mid i = 1, \ldots, k\}$ be a collection of slice-families and let

$$S_{(i,g_i)} = \psi_i^{-1}([a_{(i,g_i-1)}, a_{(i,g_i)}]). \qquad (23)$$

A deterministic timed automaton is a complete abstraction if

1) $\underline{t}_{S_{(i,g_i)}} = \overline{t}_{S_{(i,g_i)}} = t_{(i,g_i)}$, and

2) for any $g \in G$ with $g_i \geq 2$ there exists a time $t_{(i,g_i)}$ such that for all $x \in \psi_i^{-1}(a_{(i,g_i)})$

(24)

Proof: The proposition states that it takes the same time for all trajectories of $\Gamma$ to propagate between any two level sets of $\psi_i$. From this it follows that $A(S)$ is complete if $\underline{t}_{S_{(i,g_i)}}$ and $\overline{t}_{S_{(i,g_i)}}$ are both equal to $t_{(i,g_i)}$. ■
Proposition 9 (Necessary Condition for Refinable Abstraction): If $A(S)$ is a refinable abstraction of a system $\Gamma$, then $S$ is a collection of $n$ slice-families.

Proof: If $A(S)$ is a refinable abstraction, then for any $\epsilon > 0$ there exists a partition $K(S)$ such that (30) in [5] holds for the cells in $K(S)$. Therefore,

$$S_{(i,g_i)} \subseteq \psi_i^{-1}(a_{(i,g_i)}) + B(\epsilon), \qquad (25)$$

where $\epsilon > 0$ and $B(\epsilon)$ is the ball of radius $\epsilon$. Note that $a_{(i,g_i)}$ is a regular value of $\psi_i$, i.e. the dimension of the level set $\psi_i^{-1}(a_{(i,g_i)})$ is $n - 1$. The locations of $A(S)$ are cells for which

$$\bigcup_h e_{(g,h)} = \bigcap_{i=1}^{k} S_{(i,g_i)} \qquad (26a)$$

$$\subseteq \bigcap_{i=1}^{k} \psi_i^{-1}(a_{(i,g_i)}) + B(2\epsilon). \qquad (26c)$$

But (26c) is true for any $\epsilon$; thus it is enough to prove that

$$\dim\Big(\pitchfork_{i=1}^{k} \psi_i^{-1}(a_{(i,g_i)})\Big) = 0. \qquad (27)$$

Using Theorem 7.7 in [10], the dimension of a transversal intersection of $k$ level sets, each of dimension $n - 1$, is obtained by adding one level set at a time:

$$\dim\Big(\pitchfork_{i=1}^{k} \psi_i^{-1}(a_{(i,g_i)})\Big) = [[(n-1) + (n-1) - n] + (n-1) - n] + (n-1) - n \ldots \qquad (28a)$$

$$= k(n-1) - (k-1)n = n - k. \qquad (28b)$$

We see that if $k \neq n$ then $\dim\big(\pitchfork_{i=1}^{k} \psi_i^{-1}(a_{(i,g_i)})\big) \neq 0$; thus we have a contradiction. We conclude that $k = n$. ■

VI. Partitioning the State Space Using Lyapunov 
Functions 

Positive invariant sets are used in stability theory in the 
form of sub-level sets of Lyapunov functions. This concept 
is adopted in this work to synthesize partitions. 

Definition 6: Two Lyapunov functions $\psi_1, \psi_2 : \mathbb{R}^n \to \mathbb{R}$ are transversal if the level sets $\psi_1^{-1}(a)$ and $\psi_2^{-1}(a)$ are transversal for any $a \in \mathbb{R} \setminus \{0\}$.

Proposition 10: Let $n > 1$. For any Morse-Smale system (see Chapter 4 in [11]) on $\mathbb{R}^n$ there exist $n$ transversal Lyapunov functions.

Proof: Let $S(n, \mathbb{R})$ be the set of $n \times n$ symmetric matrices. $S(n, \mathbb{R})$ is a subspace of $M(n, \mathbb{R})$ of dimension $\dim(S(n, \mathbb{R})) = n(n+1)/2$. Consider the map $\psi_A : S(n, \mathbb{R}) \to S(n, \mathbb{R})$ given by

$$P \mapsto A^T P + P A. \qquad (29)$$

Now consider the map $\det : M(n, \mathbb{R}) \to \mathbb{R}$ given by

$$A \mapsto \det(A). \qquad (30)$$

Then $(\det \circ \psi_A)^{-1}(\{0\})$ is a closed set. Therefore,

$$U_A = \{P \in S(n, \mathbb{R}) \mid \det \circ \psi_A(P) \neq 0\} \qquad (31)$$

is an open set. $V_A = V \cap U_A$ is open, where

$$V = \{P \in S(n, \mathbb{R}) \mid \det(P) \neq 0\} \quad (V \text{ is open}). \qquad (32)$$

Let $\Theta = \{Q \in S(n, \mathbb{R}) \mid Q > 0\}$. By Proposition 2.18 in [11] the map

$$M(n, \mathbb{R}) \to \mathbb{C}^n / S_n \text{ defined by} \qquad (33)$$

$$L \mapsto \mathrm{diag}([\lambda_1, \ldots, \lambda_n]) \qquad (34)$$

is continuous, where $\lambda_1, \ldots, \lambda_n$ are the eigenvalues of $L$. Thus $\Theta$ is an open set in $S(n, \mathbb{R})$.

We pick an open neighborhood around $Q = A^T P + P A$ and denote it $U$. Then for every $Q' \in U$ there exists a (unique) $P$; thus $\psi_A^{-1}(U)$ is a nonempty open set in $S(n, \mathbb{R})$.

We can pick $n$ linearly independent matrices $P_1, \ldots, P_n \in \psi_A^{-1}(U)$. This is possible because $\psi_A^{-1}(U)$ is open in $S(n, \mathbb{R})$ and $\dim(S(n, \mathbb{R})) = n(n+1)/2 \geq n$. Then for any $a \in \mathbb{R} \setminus \{0\}$ and $i \neq j$

$$\{x \in \mathbb{R}^n \mid x^T P_i x = a\} \pitchfork \{x \in \mathbb{R}^n \mid x^T P_j x = a\}. \qquad (35)$$

Extending this to Morse-Smale systems follows directly from Theorem 1 in [7]. ■

A. Complete Abstraction 

A complete abstraction of (1) can be obtained by constructing a partition generated by Lyapunov functions which satisfies Proposition 8.

Proposition 11: Let each slice-family of $S = \{S_i \mid i = 1, \ldots, k\}$ be associated with a Lyapunov function $\psi_i(x)$ for the system $\Gamma$, such that $S_{(i,j)} = \psi_i^{-1}([a_{(i,j-1)}, a_{(i,j)}])$, and let

$$\dot\psi_i(x) = \alpha_i \psi_i(x) \quad \forall x \in \mathbb{R}^n. \qquad (36)$$

Then $A(S)$ is a complete abstraction of $\Gamma$.

Proof: Let $\psi_i(x)$ be a Lyapunov function for the system $\Gamma$ and let $x, x' \in \psi_i^{-1}(a_m)$. According to Proposition 8 the abstraction is complete if there exists a $t_m$, for $m = 2, \ldots, k$, such that

$$\phi_\Gamma(t_m, x),\ \phi_\Gamma(t_m, x') \in \psi_i^{-1}(a_{m-1}). \qquad (37)$$

This is true if

$$\dot\psi_i(\phi_\Gamma(t, x)) - \dot\psi_i(\phi_\Gamma(t, x')) = 0 \quad \forall t. \qquad (38)$$

The combination of (37) and (38) implies that for every value $c$ attained by $\dot\psi_i$ there exists an $a$ such that

$$\dot\psi_i^{-1}(c) = \psi_i^{-1}(a), \qquad (39)$$

hence for all $x$ there exists an $\alpha_i$ such that

$$\dot\psi_i(x) = \alpha_i \psi_i(x). \qquad (40)$$

■

Proposition 12: For any hyperbolic linear system $\Gamma$ there exist $n$ transversal Lyapunov functions $\psi_i(x)$, each satisfying

$$\dot\psi_i(x) = \alpha_i \psi_i(x) \quad \forall x \in \mathbb{R}^n. \qquad (41)$$

Proof: This is proved for linear systems by constructing the complete abstraction.

Consider a linear differential equation

$$\begin{bmatrix} \dot{x}_1 \\ \dot{x}_2 \end{bmatrix} = \begin{bmatrix} \lambda_1 I_1 & 0 \\ 0 & \lambda_2 I_2 \end{bmatrix} \begin{bmatrix} x_1 \\ x_2 \end{bmatrix}, \qquad (42)$$

where $I_1, I_2$ are identity matrices and $\lambda_1 < 0$ and $\lambda_2 > 0$.

The stable and unstable subspaces of (42) are orthogonal and can be treated separately. This system is divided into a stable space described by $x_1$ and an unstable space described by $x_2$. For $i \in \{1, 2\}$ let $\psi_i = x_i^T P_i x_i$ be a quadratic Lyapunov function. Then its derivative is

$$\dot\psi_i(x_i) = x_i^T (2\lambda_i P_i)\, x_i = 2\lambda_i \psi_i(x_i) \quad \text{for } i = 1, 2, \qquad (43)$$

since $A_i^T P_i + P_i A_i = 2\lambda_i P_i$ for $A_i = \lambda_i I_i$. This implies that any quadratic Lyapunov function satisfies Proposition 11, with $\alpha_i = 2\lambda_i$, and hence generates a complete abstraction.

Since hyperbolic linear systems are topologically conjugate if and only if they have the same index [12], there is a homeomorphism $h : \mathbb{R}^n \to \mathbb{R}^n$ such that any hyperbolic linear system is topologically conjugate to (42), by choosing $I_1$ and $I_2$ appropriately. Note that $h$ is a diffeomorphism on $\mathbb{R}^n \setminus \{0\}$.

This implies that there exists a complete abstraction of every hyperbolic linear system. ■

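Propositions 11 and 12 can be checked numerically on the stable block of (42). The following Python program is an added example, not code from the report or its authors; it assumes a constructed rate $\lambda_1 = -0.5$, a constructed positive definite $P_1$, and constructed levels $a_g$. It verifies (43), that is $\dot\psi_1 = 2\lambda_1 \psi_1$, computes the exact transit time $t_{(1,g)} = \ln(a_g / a_{g-1}) / |\alpha_1|$ between consecutive level sets (this closed form follows from $\psi_1(\phi(t,x)) = \psi_1(x)\, e^{\alpha_1 t}$, a step the report does not spell out), confirms by bisection that this time is the same in every direction (condition 2) of Proposition 8), and shows that the resulting timed automaton reaches exactly one location at each time, which is what makes the abstraction complete. For comparison it also evaluates the sound bounds (20) on the same slices.

```python
"""Added example (not from the report): complete abstraction of the stable block of (42),
x_1' = lambda_1 x_1, with a quadratic Lyapunov function psi_1(x_1) = x_1^T P_1 x_1
(Propositions 8, 11 and 12).  All numbers below are constructed for the example."""
import math

LAMBDA_1 = -0.5                       # constructed: lambda_1 < 0, so the block is stable
P_1 = ((2.0, 0.5), (0.5, 1.0))        # constructed symmetric positive definite matrix
LEVELS = [0.0, 0.5, 1.0, 2.0, 4.0]    # a_0 < ... < a_N; slice g = psi_1^{-1}([a_{g-1}, a_g])
N = len(LEVELS) - 1

def psi_1(x):
    return sum(x[i] * P_1[i][j] * x[j] for i in range(2) for j in range(2))

def psi_1_dot(x):
    """x_1^T (A^T P_1 + P_1 A) x_1 with A = lambda_1 I; by (43) this equals 2 lambda_1 psi_1."""
    return sum(x[i] * (2.0 * LAMBDA_1 * P_1[i][j]) * x[j] for i in range(2) for j in range(2))

def alpha_1():                        # the constant of (36)/(41): psi_1_dot = alpha_1 psi_1
    return 2.0 * LAMBDA_1

def flow(t, x0):                      # phi(t, x0) = exp(lambda_1 t) x0
    return (x0[0] * math.exp(LAMBDA_1 * t), x0[1] * math.exp(LAMBDA_1 * t))

def exact_transit_time(g):
    """t_{(1,g)} of Proposition 8: psi_1(phi(t,x)) = psi_1(x) exp(alpha_1 t), so every
    trajectory moves from level a_g to level a_{g-1} in time ln(a_g / a_{g-1}) / |alpha_1|."""
    return math.log(LEVELS[g] / LEVELS[g - 1]) / abs(alpha_1())

def bounds_from_20(g):
    """The sound bounds (20): on slice g, |psi_1_dot| = |alpha_1| psi_1 ranges over
    [|alpha_1| a_{g-1}, |alpha_1| a_g], giving an interval that strictly contains t_{(1,g)}."""
    lo, hi = LEVELS[g - 1], LEVELS[g]
    return (hi - lo) / (abs(alpha_1()) * hi), (hi - lo) / (abs(alpha_1()) * lo)

def on_level(direction, a):           # scale a direction so that psi_1 equals a
    s = math.sqrt(a / psi_1(direction))
    return (direction[0] * s, direction[1] * s)

def measured_transit_time(x0, g, tol=1e-11):
    """Bisection on psi_1(phi(t, x0)) = a_{g-1} for x0 on level a_g (psi_1 decreases along the flow)."""
    target, lo, hi = LEVELS[g - 1], 0.0, 1.0
    while psi_1(flow(hi, x0)) > target:
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if psi_1(flow(mid, x0)) > target else (lo, mid)
    return hi

def transit_times_are_direction_independent(n_dirs=24, tol=1e-9):
    """Condition 2) of Proposition 8: the same t_{(1,g)} for every x on the level set a_g."""
    for g in range(2, N + 1):
        for k in range(n_dirs):
            th = 2.0 * math.pi * k / n_dirs
            x0 = on_level((math.cos(th), math.sin(th)), LEVELS[g])
            if abs(measured_transit_time(x0, g) - exact_transit_time(g)) > tol:
                return False
    return True

def reach_location(t):
    """With guard and invariant both fixed at c == t_{(1,g)} (condition 1) of Proposition 8)
    exactly one location is reachable at each time from the outer level set a_N, i.e.
    Reach_[t,t](A, {N}) of Definition 5 is a singleton: the automaton is complete."""
    elapsed = 0.0
    for g in range(N, 1, -1):
        if t < elapsed + exact_transit_time(g):
            return g
        elapsed += exact_transit_time(g)
    return 1

def slice_index(x):                   # g with x in S_g (small tolerance for boundary rounding)
    v = psi_1(x)
    return next((g for g in range(1, N + 1) if v <= LEVELS[g] + 1e-12), None)

def automaton_tracks_trajectories(n_dirs=12, n_times=20, t_max=3.0):
    """The single reachable location always equals the slice the trajectory occupies."""
    for k in range(n_dirs):
        th = 2.0 * math.pi * k / n_dirs
        x0 = on_level((math.cos(th), math.sin(th)), LEVELS[N])
        for m in range(n_times + 1):
            t = t_max * m / n_times
            if slice_index(flow(t, x0)) != reach_location(t):
                return False
    return True
```

The contrast with Proposition 7 is the point of the comparison: with the levels doubling, `bounds_from_20(g)` returns $[0.5, 1.0]$ while the exact transit time is $\ln 2 \approx 0.693$ for every direction. The bounds of (20) are therefore sound but not tight even in this case, and completeness (Proposition 8) requires the automaton to be built from the exact $t_{(i,g_i)}$, which (36) makes available in closed form. Because `reach_location(t)` is a single location for every $t$, the reachable set of the automaton coincides with the slice actually occupied, which is what `automaton_tracks_trajectories()` confirms.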
VII. Conclusion 

In this report proofs associated with a method for ab- 
stracting hyperbolic dynamical systems by timed automata 
have been presented. The method is based on partitioning 
the state space of the dynamical systems by set-differences 
of invariant sets. 

To enable both verification and falsification of safety 
properties for the considered system based on the abstraction, 
conditions for soundness, completeness, and refinability have 
been set up. Furthermore, it is shown that the abstraction 
can be obtained as a parallel composition of multiple timed 
automata under certain conditions. 

Finally, it is shown that there exist sound and refinable abstractions for hyperbolic Morse-Smale systems. Additionally, it is shown that there exist complete and refinable abstractions for any hyperbolic linear system.